Paloalto Networks Updated PCNSE Exam Questions and Answers by digby

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbXCAS https://live.paloaltonetworks.com/t5/general-topics/phase-2-tunnel-is-not-up/td-p/424789

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0

To configure SSL Forward Proxy decryption on a Palo Alto Networks firewall, certain key components must be set up to ensure secure and effective decryption and inspection of SSL/TLS encrypted traffic:

B. Define a Forward Trust Certificate:

• A Forward Trust Certificate is essential for SSL Forward Proxy decryption. This certificate is used by the firewall to dynamically generate certificates for SSL sites that are trusted. When the firewall decrypts and inspects the traffic and then re-encrypts it, the new certificate presented to the client comes from the Forward Trust Certificate authority. This certificate must be trusted by client devices, often requiring the Forward Trust CA certificate to be distributed and installed on client devices.

C. Configure SSL decryption rules:

• SSL decryption rules are the policies that determine which traffic is to be decrypted. These rules specify the source, destination, service, and URL category, among other criteria. The rules define what traffic the SSL Forward Proxy will apply to, enabling selective decryption based on security and privacy requirements.

Together, these components form the basis of the SSL Forward Proxy decryption setup, allowing for the decryption, inspection, and re-encryption of SSL/TLS encrypted traffic to identify and prevent threats hidden within encrypted sessions.

The engineer should adjust the TCP maximum segment size (MSS) value on ethernet1/1 to remedy this problem. This is because the MTU on an upstream router interface is set to 1400 bytes, which is causing the return traffic from the web servers to not reach the users behind the firewall. By adjusting the TCP MSS value, the engineer can ensure that the return traffic is able to reach the users without any issues.

The TCP MSS is the maximum amount of data that can be transmitted in a single TCP segment, excluding the TCP and IP headers. The TCP MSS is usually derived from the MTU of the underlying network, which is the maximum packet size that can be transmitted without fragmentation. For example, if the MTU is 1500 bytes, which is the default value for ethernet interfaces, then the TCP MSS is 1460 bytes (1500 - 20 bytes for IP header - 20 bytes for TCP header). However, if there are intermediate devices or networks that have a lower MTU than the end-to-end path, then the TCP MSS may need to be adjusted accordingly to avoid packet loss or fragmentation1.

In this case, the firewall has an MTU of 1500 bytes on ethernet1/1, which is connected to a WAN link. However, an upstream router has an MTU of 1400 bytes on its interface, which means that any packet larger than 1400 bytes will be either dropped or fragmented by the router. This can cause problems for the return traffic from the web servers, which may have a TCP MSS of 1460 bytes or higher, depending on their MTU settings. If these packets have the Don’t Fragment (DF) bit set in their IP header, which is common for TCP packets, then they will be dropped by the router and never reach the firewall or the users behind it. If they do not have the DF bit set, then they will be fragmented by the router and reassembled by the firewall, which can cause performance degradation and overhead2.

To avoid these problems, the engineer should adjust the TCP MSS value on ethernet1/1 to match or be lower than the MTU of the upstream router. This can be done by using the CLI command set network interface ethernet ethernet1/1 tcp-mss , where is an integer between 64 and 15003. For example, if the engineer sets the TCP MSS value to 1360 bytes (1400 - 20 - 20), then this will ensure that any TCP packet sent or received by ethernet1/1 will not exceed 1400 bytes in total size, and thus will not be dropped or fragmented by the router. This will allow the return traffic from the web servers to reach the users behind the firewall without any issues4.

References: TCP Maximum Segment Size (MSS), Configure Session Settings, TCP MSS Adjustments, PCNSE Study Guide (page 59)